lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 May 2004 17:24:39 +0100 (MEST) From: "Aleksandar Milivojevic" <alex@...ivojevic.org> To: bugtraq@...urityfocus.com Subject: Somebody exploiting (badly designed) yahoo service? I don't know if this is something new, or something old. Yeasterday I received couple of emails (apperently from people I know). Emails were text/html, and contained only this text: http://drs.yahoo.com/milivojevic.org/NEWS Text was acutally linked to: http://drs.yahoo.com/milivojevic.org/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/milivojevic.org/NEWS Downloading the above link using wget, drs.yahoo.com redirects to: http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/ This page contains some JavaScript (after couple of empty screens) that seems to open off-screen window (or at least it looks like that to me) and loads terra.html from the same site. Downloading terra.html using wget, there's some more JavaScript (again after several empty screens) and some obfuscating code inside that I haven't analyzed in depth. Anybody seen this before? Is this some kind of virus, worm, spyware, or simply a spam? Looking at received headers of emails, it doesn't look like spam. When I contacted the people who were listed as senders, they said they never sent it (but that they suspect they might be infected by some virus). I'll be contacting Yahoo about this (obviously, whatever they have at drs.yahoo.com isn't designed with security in mind), however I'm interested if anybody else saw/got this, and if he/she knows what it is. Thanks for any info/pointers Aleksandar Milivojevic
Powered by blists - more mailing lists